Juniper Route-failover in a typical DUAL ISP scenario

In Figure 1 we have the sample configuration of the BFD liveness detection application in a dual ISP scenario. We want to test dual ISP failover: if our main provider, ISP2, is down, the route should be switched to the backup, ISP1. As a target we have a Destination Router with loopback interface lo0 configured. Let's assume that the routers are not directly connected but sit on opposite ends of an Ethernet switch or WAN transport gear. A failure on one side of the link leaves the link up on the other side. Fiber cuts, clumsy engineers and failed equipment can all cause a static route blackhole. So let's see how we can protect against this type of failure.



Interface Configuration on Edge Router 

set interfaces em0 unit 0 family inet address 192.168.0.1/24
set interfaces em1 unit 0 family inet address 192.168.1.2/24
set interfaces em2 unit 0 family inet address 192.168.2.1/24


Interface Configuration on ISP1 Router 

set interfaces em0 unit 0 family inet address 192.168.0.4/24
set interfaces em1 unit 0 family inet address 192.168.1.3/24
set interfaces em2 unit 0 family inet address 192.168.20.1/24


Interface Configuration on ISP2 Router 


set interfaces em0 unit 0 family inet address 192.168.0.5/24
set interfaces em1 unit 0 family inet address 192.168.2.2/24
set interfaces em2 unit 0 family inet address 172.16.1.1/24

Interface Configuration on Destination Router 

set interfaces em0 unit 0 family inet address 192.168.0.6/24
set interfaces em1 unit 0 family inet address 192.168.20.2/24
set interfaces em2 unit 0 family inet address 172.16.1.2/24
set interfaces lo0 unit 0 family inet address 192.168.163.1/24  -> loopback interface we are going to ping

Static Routes Configuration on Edge Router

set routing-options static route 192.168.20.0/24 next-hop 192.168.1.3 ->Main Route to 192.168.20.0 subnet
set routing-options static route 172.16.1.0/24 next-hop 192.168.2.2  ->Route to 172.16.1.0 subnet
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.1.3 preference 8 -> Backup Route to destination router
*Here the preference value (8, higher than the default static preference of 5) marks this route as the backup.
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.2.2 bfd-liveness-detection version automatic
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.2.2 bfd-liveness-detection minimum-interval 200
set routing-options static route 192.168.163.0/24 qualified-next-hop 192.168.2.2 bfd-liveness-detection transmit-interval minimum-interval 200

*As you can see, we have configured Bidirectional Forwarding Detection (BFD), a protocol created to detect link failures very quickly. In a routed environment this is especially useful when two Layer 3 devices are connected through a Layer 2 device in the middle. The problem is that the link to the ISP2 Router could go down on the Edge Router, but ISP1 would not detect the failure until the protocol timed out, because its local link remains up. See the Juniper docs for more about BFD configuration.

Static Routes Configuration on ISP1 Router

set routing-options static route 192.168.163.0/24 next-hop 192.168.20.2 -> or, alternatively, a default route:
set routing-options static route 0.0.0.0/0 next-hop 192.168.20.2

Static Routes Configuration on ISP2 Router

set routing-options static route 192.168.163.0/24 next-hop 172.16.1.2
set routing-options static route 192.168.2.0/24 next-hop 192.168.2.1 ->Route to 192.168.2.0 subnet on Edge Router
set routing-options static route 192.168.2.0/24 bfd-liveness-detection version automatic
set routing-options static route 192.168.2.0/24 bfd-liveness-detection minimum-interval 200
set routing-options static route 192.168.2.0/24 bfd-liveness-detection transmit-interval minimum-interval 200

*Note: If BFD is configured on only one end of a static route (the Edge Router), the route is removed from the routing table; BFD establishes a session only when it is configured on both ends of the static route. Therefore we have configured the route back to the Edge Router and applied BFD on ISP2.
More information about configuring Bidirectional Forwarding Detection: http://www.getgreennetworking.com/techpubs/en_US/junos11.1/information-products/topic-collections/config-guide-routing/index.html?topic-36024.html.


Static Routes Configuration on Destination Router

set routing-options static route 192.168.20.0/24 next-hop 192.168.20.1 ->test route
set routing-options static route 192.168.1.0/24 qualified-next-hop 192.168.20.1 preference 8 ->Backup Route to 192.168.1.0 subnet
set routing-options static route 172.16.1.0/24 next-hop 172.16.1.1 ->test route
set routing-options static route 192.168.2.0/24 qualified-next-hop 172.16.1.1 preference 7 ->Main Route to 192.168.2.0 subnet

Now let's try to trace the route from Edge Router to Destination Router loopback interface lo0:

root> traceroute 192.168.163.1
traceroute to 192.168.163.1 (192.168.163.1), 30 hops max, 40 byte packets
 1  192.168.2.2 (192.168.2.2)  3.378 ms  3.980 ms  2.852 ms
 2  192.168.163.1 (192.168.163.1)  3.019 ms  4.995 ms  5.126 ms

We can see that the route goes through ISP2 (main provider) to the Destination Router (loopback interface). Now let's disconnect the link between Edge and ISP2 and trace the route again:

root> traceroute 192.168.163.1   
traceroute to 192.168.163.1 (192.168.163.1), 30 hops max, 40 byte packets
 1  192.168.1.3 (192.168.1.3)  62.144 ms  3.702 ms  3.892 ms
 2  192.168.163.1 (192.168.163.1)  4.508 ms  2.603 ms  2.421 ms

As you can see, the alternative route (through ISP1) is activated because of the route preferences configured on the Edge Router. Now it's time to check whether the route switches back to the main ISP2 when the link between Edge and ISP2 is up again.

root> traceroute 192.168.163.1   
traceroute to 192.168.163.1 (192.168.163.1), 30 hops max, 40 byte packets
 1  192.168.2.2 (192.168.2.2)  4.310 ms  2.717 ms  3.425 ms
 2  192.168.163.1 (192.168.163.1)  2.879 ms  2.772 ms  3.405 ms

The result is positive, thanks to the BFD configuration on the Edge and ISP2 routers: the Destination Router is reachable again via ISP2 (main provider). The described method has one serious disadvantage: BFD has to be configured on both ends of the link, on Edge and ISP2, which is sometimes impossible on the provider side.
Next time I will show you the same scenario without BFD configuration on the provider side or any script application.
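To make the selection logic behind the three traceroutes concrete, here is an added Python model of how the Edge Router picks the active next hop for 192.168.163.0/24 (example code written for this post, not Junos code): each qualified-next-hop carries its own preference, and a next hop guarded by bfd-liveness-detection is usable only while its BFD session is up, so one-sided BFD never yields a usable next hop. The preference 5 for the main next hop is the Junos default for static routes; the route entries are constructed from the Edge Router configuration above.

```python
"""Model of Junos static route selection with qualified-next-hop
preferences and BFD-guarded next hops (illustration, not Junos code)."""

# Constructed from the Edge Router static route configuration above.
# Preference 5 is the Junos default for a static route.
ROUTE_163 = [
    {"next_hop": "192.168.2.2", "preference": 5, "bfd": True},   # main, via ISP2
    {"next_hop": "192.168.1.3", "preference": 8, "bfd": False},  # backup, via ISP1
]


def active_next_hop(candidates, bfd_sessions):
    """Return the lowest-preference usable next hop, or None if the route
    is withdrawn entirely.

    bfd_sessions maps next-hop -> "up" / "down". A BFD-guarded next hop
    that is missing from the map (the peer never configured BFD, so no
    session was ever established) counts as down."""
    usable = [c for c in candidates
              if not c["bfd"] or bfd_sessions.get(c["next_hop"]) == "up"]
    if not usable:
        return None
    return min(usable, key=lambda c: c["preference"])["next_hop"]


def failover_sequence(candidates, events):
    """Replay BFD session state changes and record the active next hop
    after each one (mirrors the up -> down -> up sequence traced above)."""
    sessions, trace = {}, []
    for next_hop, state in events:
        sessions[next_hop] = state
        trace.append(active_next_hop(candidates, sessions))
    return trace


if __name__ == "__main__":
    link_events = [("192.168.2.2", "up"), ("192.168.2.2", "down"),
                   ("192.168.2.2", "up")]
    print(failover_sequence(ROUTE_163, link_events))
```

The same function also reproduces the note about one-sided BFD: with only the BFD-guarded next hop configured and no session, the route has no usable next hop and is withdrawn.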

This lab was created on VMWare JunosOlive version 10.4R1.9. 



IP Monitoring with FBF (Filter Based Forwarding) in a Dual ISP Scenario

The IP monitoring with route failover feature is available from the 11.2 release. This article deals with the specific configuration of this feature to perform a route failover in a typical dual ISP scenario.



  • We have two ISPs one terminating on ge-0/0/0 & the other on ge-0/0/1.

  • The primary default gateway for the traffic is via ge-0/0/0. 

But we also need to perform Filter Based Forwarding (FBF) for the subnet 10.10.10.0/24. For this subnet, the primary default gateway should be via ge-0/0/1.

Additionally, we need to perform a failover in each instance (inet.0 and the routing instance), depending on reachability via the respective interface.


We will configure RPM probe tests and a corresponding action for each instance.

Routing-Instance Configuration

set routing-instances FBF-1 instance-type forwarding ---------------> First Routing Instance
set routing-instances FBF-1 routing-options static route 0.0.0.0/0 next-hop 1.1.1.1



set routing-instances FBF-2 instance-type forwarding ---------------> Second Routing Instance
set routing-instances FBF-2 routing-options static route 0.0.0.0/0 next-hop 2.2.2.2
Interface Configuration

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.2/24 ------------> First ISP Network
set interfaces ge-0/0/1 unit 0 family inet address 2.2.2.1/24 ------------> Second ISP Network

set interfaces ge-0/0/2 unit 0 family inet filter input F1
set interfaces ge-0/0/2 unit 0 family inet address 10.10.10.1/24 --------> LAN Network

Firewall Filter Configuration

set firewall filter F1 term 1 from source-address 10.10.10.2/32
set firewall filter F1 term 1 then routing-instance FBF-2

set firewall filter F1 term 2 from source-address 0.0.0.0/0
set firewall filter F1 term 2 then routing-instance FBF-1

RPM Configuration

set services rpm probe Probe-Server test testsvr target address 1.1.1.1 ---------> RPM Probes test for the target in First ISP.
set services rpm probe Probe-Server test testsvr probe-count 10
set services rpm probe Probe-Server test testsvr probe-interval 5
set services rpm probe Probe-Server test testsvr test-interval 10
set services rpm probe Probe-Server test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server test testsvr thresholds total-loss 5
set services rpm probe Probe-Server test testsvr destination-interface ge-0/0/0.0
set services rpm probe Probe-Server test testsvr next-hop 1.1.1.1


set services rpm probe Probe-Server1 test testsvr target address 2.2.2.2 ---------> RPM Probes test for the target in Second ISP.
set services rpm probe Probe-Server1 test testsvr probe-count 10
set services rpm probe Probe-Server1 test testsvr probe-interval 5
set services rpm probe Probe-Server1 test testsvr test-interval 0
set services rpm probe Probe-Server1 test testsvr thresholds successive-loss 10
set services rpm probe Probe-Server1 test testsvr thresholds total-loss 5
set services rpm probe Probe-Server1 test testsvr destination-interface ge-0/0/1.0
set services rpm probe Probe-Server1 test testsvr next-hop 2.2.2.2

IP-Monitoring Configuration

set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2 ------> Installs route in the First Routing Instance

set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1 ------> Installs route in the Second Routing Instance

Note: If you need to change only the route in inet.0 (and not in the customised routing instance), remove routing-instance <instance-name> from the IP-Monitoring configuration.

Note:
  • In the above solution, two RPM probes are created, one for each forwarding-type routing instance used, namely FBF-1 and FBF-2. When the RPM probes to 1.1.1.1 (the next hop of the ge-0/0/0.0 interface) fail, the route 0.0.0.0/0 next-hop 2.2.2.2 gets installed in the FBF-1 routing instance.

    Similarly, the route 0.0.0.0/0 next-hop 1.1.1.1 will be installed in the FBF-2 routing instance if the probes to 2.2.2.2 fail.

  • This solution works for reth interfaces as well.

  • The target IP can be any IP that is reachable from the particular link we wish to monitor; preferably keep it within the ISP's network.

  • It is assumed that the rest of the configuration required for a stateful firewall to work (e.g. security zones and policies) is already done.

    For configuring the rest of the SRX features, refer to  KB15694 - SRX Getting Started - Configuration Examples & Troubleshooting (JumpStation).

  • Timings and intervals mentioned in the above example are indicative only. Set them according to your network's requirements.

  • For additional information on how IP-monitoring route failover works, refer to the Junos® OS 11.2 Release Notes.
Verification

To verify, run the following command:

user@SRX> show services ip-monitoring status all   [ when the probe for ISP-2 has failed ]
Policy - Payment-Server-Tracking
RPM Probes:
Probe name                    Address    Status
---------------------- ---------------- ---------
Probe-Server           1.1.1.1   PASS        ----------------------------------> Result of the RPM
Route-Action:
route-instance      route               next-hop      State
----------------- ----------------- ---------------- -------------
   FBF-1            0.0.0.0/0         2.2.2.2           NOT-APPLIED    -----------------------------------> Action Taken

Policy - Payment-Server-Tracking1
RPM Probes:
Probe name                  Address     Status
---------------------- ---------------- ---------
Probe-Server1    192.168.1.109  Failed      -----------------------------------> RESULT of the RPM 
Route-Action:
route-instance          route          next-hop        State
----------------- ----------------- ----------------   -------------
FBF-2                 0.0.0.0/0         1.1.1.1         APPLIED     --------------------------------------------> Action Taken
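Reading this status output by eye works for two policies, but a consistency check is what you want when this is polled regularly: every policy whose RPM probe has failed should have its route action in the APPLIED state, and a passing probe should have it NOT-APPLIED. The following Python parser is an added example written for this post (not Junos or a Juniper library); the sample text is constructed to match the layout of the output above, with the inline annotations removed and the policy names taken from the configuration.

```python
"""Parse 'show services ip-monitoring status' output and flag policies
whose probe result and route action disagree (illustration, not Junos code)."""

# Constructed sample modelled on the output shown above, annotations removed.
SAMPLE = """\
Policy - Server-Tracking
RPM Probes:
Probe name             Address          Status
---------------------- ---------------- ---------
Probe-Server           1.1.1.1          PASS
Route-Action:
route-instance     route             next-hop         State
----------------- ----------------- ---------------- -------------
FBF-1              0.0.0.0/0         2.2.2.2          NOT-APPLIED

Policy - Server-Tracking1
RPM Probes:
Probe name             Address          Status
---------------------- ---------------- ---------
Probe-Server1          2.2.2.2          Failed
Route-Action:
route-instance     route             next-hop         State
----------------- ----------------- ---------------- -------------
FBF-2              0.0.0.0/0         1.1.1.1          APPLIED
"""


def parse_ip_monitoring(text):
    """Return {policy_name: {"probes": [...], "actions": [...]}}."""
    policies, current, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, dashed rulers and column header rows.
        if not line or line.startswith(("-", "Probe name", "route-instance")):
            continue
        if line.startswith("Policy - "):
            current = policies.setdefault(line.split(" - ", 1)[1],
                                          {"probes": [], "actions": []})
        elif line == "RPM Probes:":
            section = "probes"
        elif line == "Route-Action:":
            section = "actions"
        elif section == "probes" and len(line.split()) == 3:
            current["probes"].append(dict(zip(("name", "address", "status"), line.split())))
        elif section == "actions" and len(line.split()) == 4:
            current["actions"].append(dict(zip(("instance", "route", "next_hop", "state"), line.split())))
    return policies


def inconsistent_policies(policies):
    """Names of policies where a failed probe has no APPLIED route action,
    or a passing probe still has one applied."""
    bad = []
    for name, p in policies.items():
        failed = any(pr["status"].upper() != "PASS" for pr in p["probes"])
        applied = any(a["state"] == "APPLIED" for a in p["actions"])
        if failed != applied:
            bad.append(name)
    return bad
```

Run against the sample, `inconsistent_policies(parse_ip_monitoring(SAMPLE))` returns an empty list, which is the expected state: the ISP-2 probe failed and the 1.1.1.1 next hop was applied in FBF-2.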


The output of the route table will be as follows:
> show route |no-more


inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0



FBF-1.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 00:00:09
> to 1.1.1.1 via ge-0/0/0.0  -----------------> NO Change in ROUTE
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

FBF-2.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/1] 00:00:10 ------------> Note that this route has a preference value of 1 instead of 5 [default for static].
> to 1.1.1.1 via ge-0/0/0.0 --------------> CHANGE in INSTALLED ROUTE
10.10.10.0/24 *[Direct/0] 00:24:56
> via ge-0/0/2.0
10.10.10.1/32 *[Local/0] 00:25:04
Local via ge-0/0/2.0
1.1.1.0/24 *[Direct/0] 00:00:09
> via ge-0/0/0.0
1.1.1.2/32 *[Local/0] 00:25:04
Local via ge-0/0/0.0
2.2.2.0/24 *[Direct/0] 00:05:17
> via ge-0/0/1.0
2.2.2.1/32 *[Local/0] 00:25:04
Local via ge-0/0/1.0

> show route forwarding-table table FBF-1.inet

Routing table: FBF-1.inet

Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default perm 0 rjct 36 2
default user 0 indr 262143 2
0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
1.1.1.0/24 intf 0 rslv 582 1 ge-0/0/0.0
1.1.1.0/32 dest 0 1.1.1.0 recv 580 1 ge-0/0/0.0
1.1.1.1/32 dest 0 0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
1.1.1.2/32 intf 0 1.1.1.2 locl 581 3
1.1.1.2/32 dest 0 1.1.1.2 locl 581 3
1.1.1.255/32 dest 0 1.1.1.255 bcst 579 1 ge-0/0/0.0
2.2.2.0/24 intf 0 rslv 586 1 ge-0/0/1.0
2.2.2.0/32 dest 0 2.2.2.0 recv 584 1 ge-0/0/1.0
2.2.2.1/32 intf 0 2.2.2.1 locl 585 3
2.2.2.1/32 dest 0 2.2.2.1 locl 585 3
2.2.2.2/32 dest 0 2.2.2.2 hold 540 1 ge-0/0/1.0
2.2.2.255/32 dest 0 2.2.2.255 bcst 583 1 ge-0/0/1.0
10.10.10.0/24 intf 0 rslv 590 1 ge-0/0/2.0
10.10.10.0/32 dest 0 10.10.10.0 recv 588 1 ge-0/0/2.0
10.10.10.1/32 dest 0 00:24:dc:24:f9:f0 ucst 36 2
10.10.10.2/32 intf 0 10.10.10.2 locl 589 2
10.10.10.2/32 dest 0 10.10.10.2 locl 589 2
10.10.10.255/32 dest 0 10.10.10.255 bcst 587 1 ge-0/0/2.0
224.0.0.0/4 perm 0 mdsc 35 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1
255.255.255.255/32 perm 0 bcst 32 1

>show route forwarding-table table FBF-2.inet
Routing table: FBF-2.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
default user 0 indr 262143 2
0:26:88:e6:d2:0 ucst 539 3 ge-0/0/0.0
default perm 0 rjct 545 2
0.0.0.0/32 perm 0 dscd 543 1
1.1.1.0/24 user 0 rtbl 1 3
1.1.1.2/32 user 0 1.1.1.2 locl 581 3
2.2.2.0/24 user 0 rtbl 1 3
2.2.2.1/32 user 0 2.2.2.1 locl 585 3
10.10.10.1/32 user 0 rjct 545 2
224.0.0.0/4 perm 0 mdsc 544 1
224.0.0.1/32 perm 0 224.0.0.1 mcst 517 1
255.255.255.255/32 perm 0 bcst 541 1


